FreeBSD may require prefer_source with inet6
This may be a FreeBSD issue, not a dhcpcd issue, not sure. Using FreeBSD 14.1 and dhcpcd-10.0.10.
From the ifconfig(8) man page I found:
prefer_source
Set a flag to prefer address as a candidate of the source address
for outgoing packets.
There are two cases where this would be helpful. The first is when an RA has the managed flag set. In that case my firewall (using dhcpcd) first gets a /64 SLAAC that it then uses to pick up a /128 from DHCP6. But my ISP appears to filter the initial /64 address to only allow it to talk to their DHCP6 server. This leads to me not being able to ping6 from the firewall (although hosts behind it have no issue).
The second case is when I set slaac private temporary for a host behind the firewall. It gets a private and temporary address but prefers the private address unlike my mac which will prefer its temporary address.
On my firewall I can see (addresses redacted) the following was configured by dhcpcd:
root@charon:~ # ifconfig wan0
wan0: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 00:e0:67:10:8d:3c
inet 100.65.195.250 netmask 0xffffc000 broadcast 100.65.255.255
inet6 fe80::2e0:67ff:fe10:8d3c%wan0 prefixlen 64 scopeid 0x1
inet6 2xxx:xxx:xxxx:1000:2e0:67ff:fe10:8d3c prefixlen 64 tentative autoconf pltime 604800 vltime 2592000
inet6 2xxx:xxx:xxxx:1000::1a prefixlen 128 pltime 72000 vltime 86400
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=1<PERFORMNUD>
Both addresses share the initial 2xxx:xxx:xxxx:1000 prefix. One works and one does not. The hosts behind the firewall do NOT share the same prefix; they are delegated the 2xxx:xxx:xxxx:8087 prefix and they work fine. And this is typically what happens when I try to ping6 from the firewall.
root@charon:~ # ping6 google.com
PING(56=40+8+8 bytes) 2xxx:xxx:xxxx:1000:2e0:67ff:fe10:8d3c --> 2800:3f0:4004:806::200e
That will eventually time out. Now if I ping from something behind the firewall and switch back to the firewall ping6 works (often but not always).
root@charon:~ # ping6 google.com
PING(56=40+8+8 bytes) 2xxx:xxx:xxxx:1000::1a --> 2800:3f0:4004:806::200e
16 bytes from 2800:3f0:4004:806::200e, icmp_seq=0 hlim=113 time=35.224 ms
At a random time it will switch back to the other address and fail pings again.
netstat -rn is no different when it works or does not work. Running ifconfig and adding prefer_source permanently fixes it (until my lease ends anyway); not sure if it will force using the temporary address, but I have not verified that.
It isn't critical to be able to ping6 from the firewall but it is confusing when I'm troubleshooting other issues.
The temporary address just required me to tell FreeBSD to prefer it with
sysctl -w net.inet6.ip6.prefer_tempaddr=1
so the second case for when I set slaac private temporary is no longer an issue.
@dmarker the ::1a address is marked tentative in your ifconfig output .... does that flag ever drop? If not that is the issue.
It does indeed eventually drop and once it has things work. Have not figured out how long the delay is for that. Thanks!
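The check discussed in this thread (which global inet6 address is still tentative, and which came from SLAAC) can be scripted. The following is an added example, not part of the original thread or of dhcpcd; the function names and the sample output, which uses the 2001:db8::/32 documentation prefix, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify non-link-local inet6 addresses from FreeBSD
# ifconfig(8) output read on stdin. Prints "<address> <origin> <state>".
#   origin: autoconf (SLAAC) or other (static / DHCPv6)
#   state : ready, or the last blocking flag seen (tentative, duplicated,
#           detached, deprecated)
inet6_states() {
    awk '
    $1 == "inet6" && $2 !~ /^fe80:/ {
        origin = "other"; state = "ready"
        for (i = 3; i <= NF; i++) {
            if ($i == "autoconf") origin = "autoconf"
            if ($i == "tentative" || $i == "duplicated" ||
                $i == "detached"  || $i == "deprecated") state = $i
        }
        print $2, origin, state
    }'
}

# Exit status 0 if any global address is not yet ready for use as a source.
any_not_ready() {
    inet6_states | grep -qv ' ready$'
}

# Constructed sample modelled on the layout shown in the thread.
SAMPLE='wan0: flags=1028943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::2e0:67ff:fe10:8d3c%wan0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:0:1000:2e0:67ff:fe10:8d3c prefixlen 64 tentative autoconf pltime 604800 vltime 2592000
	inet6 2001:db8:0:1000::1a prefixlen 128 pltime 72000 vltime 86400
	nd6 options=1<PERFORMNUD>'

printf '%s\n' "$SAMPLE" | inet6_states
```

On a live system the same functions take `ifconfig wan0` on stdin instead of the sample.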